ShadowPad: Backdoor in enterprise server software exposed

The NetSarang server software is used by hundreds of companies worldwide.
Written by Charlie Osborne, Contributing Writer

A backdoor in a server software management platform used by hundreds of companies across the globe has been exposed by researchers.

On Tuesday, Kaspersky Lab revealed the implanted backdoor, which was discovered in a server management software product from NetSarang used by firms in financial services, banking, education, telecoms, manufacturing, energy, and transport.

Dubbed ShadowPad, the backdoor planted in NetSarang's software, when activated, allowed attackers to download additional malware modules or steal confidential corporate data.


The researchers first came across the backdoor when approached by a partner in July this year to investigate a suspicious domain name server (DNS) which was requesting data from a system involved in financial transactions.

Upon investigation, Kaspersky found that the requests originated from the legitimate NetSarang software. A hidden malicious module, added in a recent version of the software, had burrowed into one of the code libraries the software uses, nssock2.dll, and issued the requests once every eight hours.

"The most worrying finding was the fact that the vendor did not mean for the software to make these requests," Kaspersky said.

Information scraped from these requests included basic system information, such as user names, domain names, and host names.

However, if the stolen data was of interest to the cyberattackers, the malware's command and control (C&C) server would then issue a malware payload to install a full backdoor program on the victim system.

Once installed, the hackers could enjoy open season on the system for surveillance, theft, process creation, file uploads or the deployment of new malware silently and without detection.
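The eight-hour request cadence described above is a signal defenders can hunt for in DNS logs. The following is an added example, not code from Kaspersky or NetSarang: it flags client and domain pairs whose queries recur at a steady interval. The log format, the sample lines, the thresholds and the last-two-labels grouping are all assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

PERIOD = timedelta(hours=8)        # cadence reported in the article
TOLERANCE = timedelta(minutes=10)  # assumed allowance for timer jitter
MIN_EVENTS = 4                     # assumed minimum sightings before flagging
MIN_MATCH = 0.8                    # assumed share of gaps that must fit

# Constructed sample in a hypothetical format: "<ISO time> <client> <qname>"
SAMPLE_LOG = """\
2017-07-20T01:00:05 10.0.0.5 aaa111.beacon-example.test
2017-07-20T02:13:40 10.0.0.7 www.example.org
2017-07-20T09:00:11 10.0.0.5 bbb222.beacon-example.test
2017-07-20T09:30:00 10.0.0.7 www.example.org
2017-07-20T17:00:02 10.0.0.5 ccc333.beacon-example.test
2017-07-20T17:05:00 10.0.0.5 mail.example.org
2017-07-20T21:47:19 10.0.0.7 www.example.org
2017-07-21T01:00:09 10.0.0.5 ddd444.beacon-example.test
2017-07-21T03:02:51 10.0.0.7 www.example.org
2017-07-21T09:00:04 10.0.0.5 eee555.beacon-example.test
"""

def base_domain(qname):
    # Naive last-two-labels grouping; use the Public Suffix List in production.
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def find_beacons(log_text, period=PERIOD, tolerance=TOLERANCE):
    """Return sorted (client, domain) pairs queried at a steady ~period cadence."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        seen[(client, base_domain(qname))].append(datetime.fromisoformat(ts))
    hits = []
    for key, times in seen.items():
        if len(times) < MIN_EVENTS:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        fitting = sum(abs(g - period) <= tolerance for g in gaps)
        if fitting / len(gaps) >= MIN_MATCH:
            hits.append(key)
    return sorted(hits)

if __name__ == "__main__":
    for client, domain in find_beacons(SAMPLE_LOG):
        print(f"{client} queries {domain} about every {PERIOD}")
```

A hit is only a lead: legitimate software also polls on fixed timers, so each flagged pair still needs to be traced back to the process and library making the request.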

Kaspersky is not entirely sure of who created the module or how the infection came to be.

The security firm said the attack techniques are very similar to ones linked to Chinese-speaking cyberespionage groups PlugX and Winnti; however, "a precise connection has not been established."

When the researchers unmasked the backdoor, now detected as Backdoor.Win32.ShadowPad.a, they immediately contacted NetSarang, which released an updated version of its server management system without the malware module.

A single instance of the backdoor being deployed was spotted in Hong Kong, but the research team warns that it may be lying in wait on other infected systems, and so corporations should make sure the updated version is installed without delay.

"Regretfully, the Build release of our full line of products on July 18, 2017, was unknowingly shipped with a backdoor, which had the potential to be exploited by its creator," NetSarang said in a statement. "The security of our customers and user base is our highest priority and ultimately, our responsibility."

"The fact that malicious groups and entities are utilizing commercial and legitimate software for illicit gain is an ever-growing concern and one that NetSarang, as well as others in the computer software industry, is taking very seriously," the company added.
